Bug 1464243 (Closed)
Opened 6 years ago, closed 6 years ago
Assertion failure: aOutSlice.TopBottom() <= minSize.height, at src/gfx/thebes/gfxBlur.cpp:493
Categories: Core :: Graphics: Layers, defect
Status: RESOLVED FIXED, mozilla62
People: Reporter: tsmith, Assigned: nical
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments (2 files, 1 obsolete file):
211 bytes, text/html
2.03 KB, patch (bas.schouten: review+)
Reproduced with m-c:
BuildID=20180523220103
SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc

Assertion failure: aOutSlice.TopBottom() <= minSize.height, at src/gfx/thebes/gfxBlur.cpp:493
#0 ComputeMinSizeForShadowShape(mozilla::gfx::RectCornerRadii const*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) src/gfx/thebes/gfxBlur.cpp:492:3
#1 GetBlur(gfxContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectCornerRadii const*, mozilla::gfx::Color const&, bool, mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>&) src/gfx/thebes/gfxBlur.cpp:579:5
#2 gfxAlphaBoxBlur::BlurRectangle(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::RectCornerRadii const*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::Color const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&) src/gfx/thebes/gfxBlur.cpp:963:37
#3 nsContextBoxBlur::BlurRectangle(gfxContext*, nsRect const&, int, mozilla::gfx::RectCornerRadii*, int, mozilla::gfx::Color const&, nsRect const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&) src/layout/painting/nsCSSRendering.cpp:4618:3
#4 nsCSSRendering::PaintBoxShadowOuter(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, float) src/layout/painting/nsCSSRendering.cpp:1768:7
#5 nsDisplayBoxShadowOuter::Paint(nsDisplayListBuilder*, gfxContext*) src/layout/painting/nsDisplayList.cpp:5776:5
#6 mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::AssignedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) src/layout/painting/FrameLayerBuilder.cpp:6434:15
#7 mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) src/layout/painting/FrameLayerBuilder.cpp:6591:19
#8 mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicPaintedLayer.cpp:94:9
#9 mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:706:13
#10 mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#11 mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:729:7
#12 mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#13 mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:616:5
#14 mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, gfxContext*) src/layout/painting/FrameLayerBuilder.cpp:4051:12
#15 mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::AssignedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) src/layout/painting/FrameLayerBuilder.cpp:6420:7
#16 mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) src/layout/painting/FrameLayerBuilder.cpp:6591:19
#17 mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) src/gfx/layers/client/ClientPaintedLayer.cpp:158:5
#18 mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) src/gfx/layers/client/ClientPaintedLayer.cpp:314:3
#19 mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
#20 mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
#21 mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
#22 mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
#23 mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:359:13
#24 mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:423:3
#25 nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2800:19
#26 nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3843:12
#27 mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6312:5
#28 nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
#29 nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
#30 nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
#31 nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2039:11
#32 mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301:7
#33 mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:320:5
#34 mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:760:5
#35 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:673:35
#36 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:574:9
#37 mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
#38 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#39 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
#40 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
#41 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
#42 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
#43 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
#44 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
#45 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#46 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#47 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#48 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#49 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#50 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#51 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#52 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#53 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#54 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#55 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#56 main src/browser/app/nsBrowserApp.cpp:282:18
#57 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#58 _start (firefox+0x423434)
Flags: in-testsuite?
Comment 1 • 6 years ago (Assignee)
The test case has a -webkit-perspective: 1px applied which is pretty intense. My guess is that we are getting a huge rect here https://searchfox.org/mozilla-central/rev/bf4def01bf8f6ff0d18f02f2d7e9efc73e12c63f/layout/painting/nsCSSRendering.cpp#4610 and overflow later when converting it to int here https://searchfox.org/mozilla-central/rev/bf4def01bf8f6ff0d18f02f2d7e9efc73e12c63f/gfx/thebes/gfxBlur.cpp#959.
Comment 2 • 6 years ago (Assignee)
Interestingly I wasn't able to trigger the assertion with this test case. That said, the values I get for the rect are indeed well beyond the range of values that we can properly handle, so it can't hurt to add a safe-guard at the beginning of BlurRectangle that early-returns if we have a size that we know we won't be able to allocate an intermediate surface for, or xy coordinates that later won't fit into a 16.16 fixed point that some of the painting backends typically use.
Assignee: nobody → nical.bugzilla
Attachment #8980583 - Flags: review?(bas)
Comment 3 • 6 years ago
Comment on attachment 8980583 [details] [diff] [review] Bail early when running into a blur rect that we know won't be able to render. Review of attachment 8980583 [details] [diff] [review]: ----------------------------------------------------------------- ::: gfx/thebes/gfxBlur.cpp @@ +955,5 @@ > const gfxRect& aDirtyRect, > const gfxRect& aSkipRect) > { > + const double max = (double)gfxPlatform::MaxTextureSize(); > + const double max_coord = (double)std::numeric_limits<std::int16_t>::max(); nit: maxCoord, you're not in rust code here :-). More importantly, why can't we limit this to int32_t max?
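Review bot: the max_coord declaration caps coordinates at std::numeric_limits<std::int16_t>::max() with nothing in the code saying why that range was chosen; add a one-line comment on that line giving the reason (comment 4 in this bug cites painting backends converting to 16.16 fixed point), so the limit is not later read as arbitrary and widened. On the line above it, max is a generic name that is easy to confuse with the ::max() call right below; a name that says what it bounds, such as maxSize, would read better. Both C-style (double) casts could be written as static_cast<double>.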
Updated • 6 years ago
Flags: needinfo?(nical.bugzilla)
Comment 4 • 6 years ago (Assignee)
> More importantly, why can't we limit this to int32_t max?
I used int16 because some of the painting backends will eventually convert these values to 16.16 fixed point so that's the safe range to use. I think that the int16 range is more than enough in this particular case but in a subsequent patch that adds debug assertions everywhere we cast points, rects and sizes, I used a more conservative range (int32 max) instead.
I subtracted one to be safe since the value can be rounded up or down.
Flags: needinfo?(nical.bugzilla)
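The kind of guard discussed in comments 2 and 4, sketched as an added example (this is not the attached patch and not Mozilla code). `RectD`, `IsBlurRectRenderable`, `ToFixed16_16` and the `maxTextureSize` parameter are hypothetical names, and the sample rects are constructed.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical stand-in for a double-precision rect (not Gecko's gfxRect).
struct RectD { double x, y, width, height; };

// 16.16 fixed point: 16 signed integer bits plus 16 fractional bits.
// Returns false instead of performing an out-of-range double-to-int cast,
// which is undefined behaviour in C++.
bool ToFixed16_16(double v, std::int32_t* out) {
  const double scaled = std::round(v * 65536.0);
  // Negated "in range" test, so NaN and infinities are rejected as well.
  if (!(scaled >= -2147483648.0 && scaled <= 2147483647.0)) return false;
  *out = static_cast<std::int32_t>(scaled);
  return true;
}

// Guard to run before any rounding or surface allocation. maxTextureSize is
// an assumed parameter standing in for the platform's texture-size limit.
bool IsBlurRectRenderable(const RectD& r, double maxTextureSize) {
  // INT16_MAX minus one: the value may later be rounded up or down.
  const double maxCoord =
      static_cast<double>(std::numeric_limits<std::int16_t>::max()) - 1.0;
  // Size must be something an intermediate surface can be allocated for.
  if (!(r.width >= 0.0 && r.width <= maxTextureSize)) return false;
  if (!(r.height >= 0.0 && r.height <= maxTextureSize)) return false;
  // Origin must survive a later conversion to 16.16 fixed point.
  if (!(std::fabs(r.x) <= maxCoord && std::fabs(r.y) <= maxCoord)) return false;
  return true;
}

int main() {
  // Constructed sample rects, not values taken from the bug's testcase.
  const RectD ok{10.0, 20.0, 300.0, 150.0};
  const RectD huge{-4.0e9, 1.0, 8.0e9, 50.0};
  std::int32_t fx = 0;
  std::printf("ok renderable: %d\n", IsBlurRectRenderable(ok, 8192.0));
  std::printf("huge renderable: %d\n", IsBlurRectRenderable(huge, 8192.0));
  std::printf("huge.x fits 16.16: %d\n", ToFixed16_16(huge.x, &fx));
  return 0;
}
```
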
Comment 5 • 6 years ago (Assignee)
TBH I don't feel very strongly about int16 vs int32 in this case. I think that int16 is fine (as a limitation) and safer but it might just be ok to go with int32 and let the painting backend deal with potential overflow (which I hope they do properly).
Comment 6 • 6 years ago (Assignee)
Same patch without the snake case. Lemme know if you prefer to use int32 max as the limit instead of int16 max.
Attachment #8980583 - Attachment is obsolete: true
Attachment #8980583 - Flags: review?(bas)
Attachment #8981099 - Flags: review?(bas)
Comment 7 • 6 years ago
Comment on attachment 8981099: Bail early when running into a blur rect that we know won't be able to render.
Review of attachment 8981099:
Nah it's fine.
Attachment #8981099 - Flags: review?(bas) → review+
Pushed by nsilva@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/86ef0de352d2 Early return when running into blur rects that are way too large. r=Bas
Comment 9 • 6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/86ef0de352d2
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment 10 • 6 years ago
Can we land the attached testcase as a crashtest?
status-firefox60: --- → wontfix
status-firefox61: --- → wontfix
status-firefox-esr52: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: needinfo?(nical.bugzilla)
Comment 11 • 6 years ago (Assignee)
> Can we land the attached testcase as a crashtest?
Sorry for the delay, added in bug 1474940.
Flags: needinfo?(nical.bugzilla)